Protecting Financial Aid Data

Protecting Financial Aid Data

Theft of personal data has made headlines across the country, hitting college campuses particularly hard because of the nature of college networks, which must balance wide network access with data security.

Despite data breeches highlighted by the media, thousands of colleges have been successfully protecting personal information. One such campus is the University of South Florida, where Leonard Gude, director of Financial Aid, continuously looks for ways to increase data security.

Compared to other departments, Financial Aid's data security situation is more sensitive, says Gude, who also serves as a member of the National Association of Student Financial Aid Administrators' (NASFAA) Technology Initiatives Committee and as the association's representative on the Postsecondary Electronic Standards Council (PESC).

"The staffs of Financial Aid offices have tax returns and other financial information regarding the families, so there is an increased need to be more secure in the Financial Aid office than there is with other offices," Gude points out.

It's tricky to balance good customer service with strict data security.

NASFAA addresses this issue in its statement of ethical principles, which includes a statement that student aid administrators should "protect the privacy of students and assure the confidentiality of student records." This provision is becoming progressively more important as colleges increasingly become targets and sensitive personal data is compromised.

Developing a Control Culture

Several sessions addressed data security at PESC's third annual Conference on Technology and Standards, held in May in Washington, D.C. Speakers stressed the importance of creating a culture within the office that controls access to sensitive data. In the Financial Aid office, this means an environment where employees and students are highly aware of the importance of protecting sensitive data and the tools available to protect that data.

"Managers must ensure that employees and staff are as dedicated to protecting personal information as others are to getting that secured data," said Joe Crouse, legislative counsel for the Consumer Bankers Association.

Developing a control culture is the biggest hurdle for most organizations, noted Debbie Cherry, an information security consultant on corporate information security at KeyBank. This culture needs to be implemented from the top down and the bottom up, according to Cherry. At the top, managers must commit to creating this culture, and at the bottom the culture must be developed through education, governance, and frameworks (structures and procedures designed to protect data).

The bottom-up process is especially important for Financial Aid offices, where students must be taught the importance of not being careless with personal information. The University of South Florida works to create a control culture among students by increasing financial education through orientation sessions and other financial literacy presentations offered throughout the year.

"In those we try to discuss the importance of protecting their personal information," Gude says.

USF Financial Aid office employees are also trained on the Family Educational Rights and Privacy Act (FERPA) and other issues, as well as given educational materials on data security, which are included in their employee handbook. "We also talk to the staff and others about the dangers of identity theft and protecting themselves and others against it," Gude adds.

The control culture at the USF Financial Aid office was coincidentally heightened after an employee's identity was stolen. "That really brought the matter home for the rest of the staff," says Gude.

Limiting Access

Limiting individuals' access to the minimum amount of information needed to perform their job functions effectively is a key part of the control culture. Limiting access to personal information reduces the risk of information being lost or stolen. Determining who has access to what information is an ongoing process that depends on many factors, such as size of staff and customer service.

In a small Financial Aid office, where the entire staff must be able to perform every job function, it is impossible to limit access and still function effectively. However, in larger offices it is more likely that some employees do not need access to all information.

According to Cherry, larger institutions should have an ongoing process to determine the level of access that should be given for specific job functions. Smaller institutions should review access levels annually.

Financial Aid should work closely with the campus Information Technology office to determine various levels of access to information.

At USF, a committee of data custodians determines various levels of access to information within the database, and an assistant director in the department sits on that committee. If individuals want access to information, the committee reviews their request to find out why they need access and then makes a determination.

"There has always been some sort of review of requests for financial aid information, but the formalization through this data access committee has been intact for roughly two years," Gude says. "It is quite important for the university to know who is accessing what to ensure the data is not used for purposes that it was not intended to be used for."

The tricky part is balancing good customer service with strict data security. The USF Financial Aid office tried significantly restricting access to data and found it hampered productivity in the office, so system administrators had to back off and provide additional access.

An electronic imaging system can reduce the risk of paper with sensitive data getting into the wrong hands.

"It is really trial and error and it is really something that you develop over time," Gude says. "Once the system is up and running, you can start reducing your risk by tightening up on access in the office."

USF is looking into more ways to limit access to specific student information. One new security measure will enable the office to limit access to data elements within a screen of data in addition to limiting access to the entire screen.

"Once that is installed, we will see how we can further enhance our data security while continuing to deliver quality customer service," Gude says.

USF also limits student access to information provided by e-mail or telephone to ensure information is not given to the wrong person.

"The biggest challenge is phone and e-mail inquiries," Gude notes. "How do you know the person you're communicating with at the other end is who they say they are?"

To address this issue, the USF Financial Aid office steers students to the self-service page of the website, where they must log in before the office will deliver sensitive information over the phone or via e-mail.

Other Precautions

USF has instituted a number of other precautions to help reduce the risk of sensitive information being lost or stolen, including adopting institutional IDs instead of using Social Security numbers to identify students.

"With the concern about identity theft, I think that you'll see more and more institutions using the institutional ID rather than the Social Security number as the primary identifier," Gude says.

USF has also adopted an electronic imaging system to reduce the risk of paper with sensitive data getting into the wrong hands.

Financial Aid offices using paper records should raise awareness of privacy issues among employees so that papers are not left carelessly around the office. Further, these offices must properly dispose of paper containing sensitive data. This can mean ensuring that the company used for secure disposal adheres to strict standards, so that privacy is not compromised after trash has been taken from the office. There have been cases where disposal companies have not done this properly, and data security has been breached.

To protect sensitive data, USF also:

Secures operational parts of the office by requiring students and employees to use IDs to gain access.

Escorts any guests in the office to ensure they do not intentionally or unintentionally compromise data security.

Has installed keypads at counters, so a student can type his or her student ID instead of saying it out loud where others might overhear it.

Uses cameras, which are installed throughout the office, as an additional security measure.

USF's security measures have been successful in protecting data, but Gude and others remain vigilant and are always looking for ways to improve data security.

"Fortunately we have not had some of the incidents that a few other schools have experienced and hopefully we can avoid that in the future," Gude says. "We are always looking at our business processes and our activities to see how we can improve them and improve the security on them."